Lazarus targets macOS with crypto-currency malware

Researchers from Kaspersky Lab's Global Research and Analysis Team (GReAT) have uncovered a new malicious operation, dubbed 'AppleJeus', which is linked to the North Korean advanced persistent threat (APT) group, Lazarus.

The group, which is notorious for its cyber espionage and cyber sabotage attacks, as well as financially motivated attacks, penetrated the network of a crypto-currency exchange in Asia using crypto-currency trading software.

Targeting macOS

The attack was designed to steal crypto-currency and, in addition to Windows-based malware, researchers identified a previously unknown version targeting the macOS platform.

Although the Lazarus Group has been behind many previous campaigns, this the first time that Kaspersky Lab has seen the group distributing malware that targets macOS users. "It represents a wake-up call for everyone who uses this OS for crypto-currency-related activity," says Kaspersky.

Based on the researchers' analysis, the penetration of the stock exchange's infrastructure began when an unwitting employee downloaded a third-party application from a legitimate-looking Web site of an organisation that develops software for crypto-currency trading.

According to the researchers, the application's code does not seem suspicious, with the exception of an updater. In legitimate software, updaters are used to download new versions of programs, but with AppleJeus, the component acts like a reconnaissance module.

It starts by collecting basic information about the machine upon which it has been installed, then sends this information back to the command and control server. If the attackers decide the target is worth pursuing, the malware comes back in the form of a software update.

AppleJeus then installs a Trojan called Fallchill, a tool that the Lazarus Group has employed in the past, which gave the researchers a basis for attribution.

Unlimited access

"Upon installation, the Fallchill Trojan provides the attackers with almost unlimited access to the attacked computer, allowing them to steal valuable financial information or to deploy additional tools for that purpose," Kaspersky adds.

The macOS platform is generally targeted far less by cyber threats than Windows and, in this case, functionality of both versions of the malware is identical.

Another element that makes this malware anomalous, is that while it appears to be a supply chain attack, this is not necessarily the case.

The vendor of the crypto-currency trading software that was used to deliver the malicious payload to its victims has a valid digital certificate for signing its software and legitimate-looking registration records for the domain. However, on the information available at the time, Kaspersky Lab could not identify any legitimate organisation located at the address used in the certificate's data.

Targeting crypto-currency exchanges

Vitaly Kamluk, head of the GReAT APAC team at Kaspersky Lab, says his organisation noticed the Lazarus Group's growing interest in crypto-currency markets at the beginning of 2017, when Monero mining software was installed on one of their servers by a Lazarus operator.

Since then, the group has been seen targeting crypto-currency exchanges alongside regular financial organisations several times.

"The fact that they developed malware to infect macOS users in addition to Windows users, and most likely even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future," adds Kamluk.

Don't trust the code

In order to protect against sophisticated cyberattacks from groups like Lazarus, Kaspersky Lab advises users and businesses to not automatically trust the code running on their systems. "Neither an authentic-looking Web site, nor a solid company profile, nor digital certificates guarantee the absence of backdoors."

Next, it says to use a robust security solution that features malicious behaviour-detection technologies that enable even previously unknown threats to be caught.

Also, Kaspersky advises to subscribe to a high-quality threat intelligence reporting service in order to get early access to information on the most recent developments in the tactics, techniques and procedures of sophisticated threat actors.

"Use multifactor authentication and hardware wallets if you are dealing with significant financial transactions," Kaspersky advises. "For this purpose, preferably use a standalone, isolated computer that you do not use to browse the Internet or read e-mail."